Abstract


Mobile navigation services are used by billions of users around the
globe today. While GPS spoofing is a known threat, it is not yet clear
if spoofing attacks can truly manipulate road navigation systems.
Existing works primarily focus on simple attacks by randomly setting
user locations, which can easily trigger a routing instruction that
contradicts the physical road condition (i.e., easily noticeable).

In this paper, we explore the feasibility of a stealthy manipulation
attack against road navigation systems. The goal is to trigger the fake
turn-by-turn navigation to guide the victim to a wrong destination
without being noticed. Our key idea is to slightly shift the GPS
location so that the fake navigation route matches the shape of the
actual roads and triggers physically possible instructions. To
demonstrate the feasibility, we first perform controlled measurements by
implementing a portable GPS spoofer and testing on real cars. Then, we
design a searching algorithm to compute the GPS shift and the victim
routes in real time. We perform extensive evaluations using a
trace-driven simulation (600 taxi traces in Manhattan and Boston), and
then validate the complete attack via real-world driving tests
(attacking our own car). Finally, we conduct deceptive user studies
using a driving simulator in both the US and China. We show that 95% of
the participants follow the navigation to the wrong destination without
recognizing the attack. We use the results to discuss countermeasures
moving forward.


1 Introduction 


Billions of users around the globe are relying on mobile navigation
services today [45]. Ranging from map applications (e.g., Google Maps,
Waze) to taxi sharing platforms (e.g., Uber, Lyft), these services
depend on accurate and reliable GPS inputs. Recently, GPS systems have
also started to play a major role in navigating autonomous vehicles,
with a key impact on driving safety [11].

In the meantime, there has been a growing concern about the security of
GPS applications. GPS is vulnerable to spoofing attacks where
adversaries can inject falsified GPS signals to control the victim’s GPS
device [55]. Such attacks have happened in the real world, especially
targeting drones and ships. For example, Humphreys et al. demonstrated a
successful GPS spoofing attack against drones in 2012 [28]. In 2013, a
luxury yacht was intentionally diverted from Monaco to Greece by
spoofing its receiving GPS signals [46].

To understand the risks of GPS spoofing attacks, researchers have
explored building GPS spoofers to spoof drones, ships and wearable
devices [25,26,61]. However, these works mainly focus on simple attacks
by setting random locations in the target device [25,26,61]. Other works
have examined GPS spoofing attacks on systems in the open environment
(e.g., open air/water) such as drones and ships [28,46] where a simple
GPS change could (stealthily) steer their navigation.

So far, it is still an open question regarding whether 
attackers can manipulate the road navigation systems by 
spoofing the GPS inputs. The problem is critical con- 
sidering that navigation systems are actively used by 
billions of drivers on the road and play a key role in 
autonomous vehicles. At the same time, the problem 
is challenging given that most road navigation systems 
are used (or closely monitored) by human drivers. In 
addition, naive GPS manipulations are unlikely to suc- 
ceed primarily because of the physical road constraints. 
For example, random GPS manipulation can easily cre- 
ate “physically impossible” navigation instructions (e.g., 
turn left in the middle of a highway). Since the possi- 
bility of the attack is not yet clear, most civilian systems 
don’t have any defense mechanisms in place. 

In this paper, we take systematic steps to explore the feasibility of
manipulating road navigation systems stealthily by carefully crafting
the spoofed GPS inputs. The goal is to manipulate the turn-by-turn
navigation and guide a victim to a wrong destination without being
noticed. The key intuition is that users are more likely to rely on GPS
services when navigating in unfamiliar areas (confirmed via user study).
In addition, most navigation systems display the “first-person” view
which forces users to focus on the current road and the next turn. To
this end, if an attacker identifies an attacking route that mimics the
shape of the route displayed on the map, then it is possible to trigger
navigation instructions that are consistent with the physical
environment (e.g., triggering the “turning right” prompt only when there
is an actual right-turn ahead) to avoid alerting users.

To understand the attack feasibility, we take four key steps¹. First, we
implement a GPS spoofer to perform empirical measurements to understand
the attackers’ practical constraints and capacities. Second, we design
the attacking algorithms and evaluate them based on empirical taxi
driving traces. Third, we implement the system and validate it using
real-world driving tests (the attacks are applied to the author’s car,
with careful protections and ethical reviews). Finally, we conduct
“deceptive” user studies to examine the feasibility of the attack with
other users (non-authors) in the loop and understand key factors to the
success of the attack.


Measurements. We show that adversaries can build a portable spoofer at
low cost (about $223), which can easily penetrate the car body to take
control of the GPS navigation system. Our measurement shows that the
effective spoofing range is 40-50 meters and the target device can
consistently latch onto the false signals without losing connections.
The results suggest that adversaries can either place the spoofer
inside/under the target car and remotely control the spoofer, or tailgate
the target car in real time to perform spoofing.


Stealthy Attacking Algorithm. To make the attack stealthy, we design
searching algorithms that search for attacking routes in real time. The
algorithm crafts the GPS inputs to the target device such that the
triggered navigation instruction and displayed routes on the map remain
consistent with the physical road network. In the physical world, the
victim who follows the instruction would be led to a wrong route (or a
wrong destination). We evaluate the algorithms using trace-driven
simulations (600 taxi trips in total) from Manhattan [5] and Boston [1].
On average, our algorithm identified 1547 potential attacking routes for
each target trip for the attacker to choose from. If the attacker aims
to endanger the victim, the algorithm can successfully craft a special
attack route that contains wrong-ways for 99.8% of the trips. Finally,
the algorithm also allows the attacker to pre-define a target
destination area to lead the victim to.


¹Our study received the approval from our local IRB (#17-936).


Real-world Driving Test. We implemented the algorithm and tested it by
attacking our own car in a real-world driving test. We have taken
careful protection to ensure research ethics (e.g., experiments after
midnight in suburban areas, appropriate shield and power control). We
demonstrate the feasibility of the attack to trigger the target
navigation instructions in real time while the victim (the author) is
driving.


User Study. Finally, we examine the attack feasi- 
bility with users (non-authors) in the loop. Due to the 
risk of attacking real cars, we instead perform a decep- 
tive experiment using a driving simulator. We customize 
the driving simulator to load a high-resolution 3D street 
map of real-world cities. We apply deception by phras- 
ing the study as a “usability test of the driving software”, 
while we perform spoofing attacks during the experiment 
(informed consent obtained afterwards). The user study 
(N = 40) was conducted in both the US and China with 
consistent results. We show the proposed attack is highly 
effective: 38 out of 40 participants (95%) follow the nav- 
igation to all the wrong destinations. Based on our re- 
sults, we discuss possible solutions moving forward. 

In summary, our paper makes three key contributions. 


• We propose a novel attack that manipulates the road navigation systems
  stealthily. The proposed algorithm is extensively evaluated using
  real-world taxi driving traces.

• We implement the attack algorithm and a low-cost portable GPS spoofer.
  Real-world measurements and driving tests on the road confirm the
  attack feasibility.

• We conduct a user study to demonstrate the attack feasibility with
  human drivers in the loop. The results provide key insights into how
  common driving habits make users vulnerable.


We hope the results can help to raise the attention in 
the community to develop practically deployable defense 
mechanisms (e.g., location verification, signal authenti- 
cation, sensor fusion) to protect the massive GPS device 
users and emerging GPS-enabled autonomous systems. 


2 Background and Threat Model 


In this section, we start by providing the background of 
GPS spoofing attacks and describing the unique chal- 
lenges in road navigation scenarios. 


Global Positioning System (GPS). GPS is a space-based radio navigation
system that provides the geolocation and time information. To date, it
consists of 31 satellites in medium Earth orbit where each satellite is
equipped with a synchronized atomic clock. Each satellite continuously
broadcasts GPS information using Coarse/Acquisition (C/A) code on L1
band at 1575.42 MHz and encrypted precision (P/Y) code on L2 band at
1227.60 MHz with 50 bps data rate. P(Y) code is used exclusively by
authorized U.S. military receivers and C/A code is not encrypted for
general civilian access.


GPS Spoofing Attacks. Civilian GPS is vulnerable to spoofing attacks.
GPS spoofing attacks have two key steps. First, in the takeover step,
the attacker lures the victim GPS receiver to migrate from the
legitimate signal to the spoofing signal. The takeover phase can be
either brute-forced or smooth. In the former case, a spoofer simply
transmits the false signals at a high power, causing the victim to lose
track of the satellites and lock on to the stronger spoofing signals. In
contrast, smooth takeover begins by transmitting signals synchronized
with the original ones and then gradually overpowering the original
signal to cause the migration. The advantage of smooth takeover is the
stealthiness since it will not generate abnormal jumps in the received
signal strength. However, smooth takeover requires specialized hardware
to track and synchronize with the original signals at the victim’s
location in real time (costly) [26,41]. Next, in the second step, the
attacker can manipulate the GPS receiver by either shifting the signals’
arrival time or modifying the navigation messages [41, 46].


2.1 Threat Model 


In this paper, we explore a novel attack against road navigation systems
by spoofing the GPS inputs. In this attack, the victim is a driver who
uses a GPS navigation system (e.g., a mobile app) while driving on the
road. The victim can also be a person sitting in a GPS-enabled
self-driving car. The attacker spoofs the signals of the victim’s GPS
receiver to manipulate the routing algorithm of the navigation system.
The attacker’s goal is to guide the victim to take a wrong route without
alerting the victim (i.e., stealthy). The attack can be realized for
three purposes.


• Deviating Attack. The attacker aims to guide the victim to follow a
  wrong route, but the attacker does not have a specific target
  destination. In practice, the attacker may detour ambulances or police
  cars to enter a loop route.

• Targeted Deviating Attack. The attacker aims to guide the victim to a
  target destination pre-defined by the attacker, for example, for
  ambush, robbery or stealing a self-driving car.

• Endangering Attack. The attacker aims to guide the victim into a
  dangerous situation, for example, entering the wrong way on a highway.


In our threat model, the attacker has no access to the internal
software/hardware of the target GPS device or those of the navigation
service. The attacker also cannot modify the navigation services or
algorithms (e.g., on Google Maps servers). In addition, we assume the
attacker knows the victim’s rough destination area (e.g., a financial
district, a hotel zone) or the checkpoint that the victim will bypass
(e.g., main bridges, tunnels, highway entrances). In later sections, we
will justify why this assumption is reasonable and design our attack to
tolerate the inaccurate estimation of the victim’s destination. We focus
on low-cost methods to launch the attack without the need for expensive
and specialized hardware.

Compared to spoofing a drone or a ship [8, 25, 28, 46, 61], there are
unique challenges in manipulating road navigation systems. First, a road
navigation attack has strict geographical constraints. It is far more
challenging to perform GPS spoofing attacks in real time while coping
with road maps and vehicle speed limits. In addition, human drivers are
in the loop of the attack, which makes a stealthy attack necessary.

The scope of the attack is limited to scenarios where 
users heavily rely on the GPS device for navigation. For 
example, when a user drives in a very familiar area (e.g., 
commuting from home to work), the user is not necessar- 
ily relying on GPS information to navigate. We primarily 
target people who drive in an unfamiliar environment. In 
addition, the attack will be applicable to self-driving cars 
that rely on GPS and the physical-world road conditions 
for navigation (instead of the human drivers). 


3 Measurement-driven Feasibility Study 


We start by performing real-world measurements to un- 
derstand the constraints of the attacker’s capacity in prac- 
tice. The results will help to design the corresponding 
attacking algorithms in the later sections. 


Portable GPS Spoofer. We implemented a portable GPS spoofer to perform
controlled experiments. As shown in Figure 1, the spoofer consists of
four components: a HackRF One-based frontend, a Raspberry Pi, a portable
power source and an antenna. The whole spoofer can be placed in a small
box and we use a pen as a reference to illustrate its small size. HackRF
One is a Software Defined Radio (SDR). We connect it to an antenna with
a frequency range of 700 MHz to 2700 MHz that covers the civilian GPS
band L1 (1575.42 MHz). A Raspberry Pi 3B (Quad Core 1.2GHz Broadcom
BCM2837 64bit CPU, 1GB RAM) is used as a central server. It runs an
SSH-enabled Raspbian Jessie operating system with a LAMP stack server.
GPS satellite signals are generated by an open-source software called
Wireless Attack Launch Box (WALB) [6] running on Raspberry Pi. The
Raspberry Pi has a cellular network connection and supports remote
access through SSH (Secure Shell). By controlling the Raspberry Pi, we
can inject the real-time GPS location information either manually or
using scripts. We use a 10000 mAh power bank as a power source for the
entire system. All the components are available off-the-shelf. The total
cost is about 223 US Dollars ($175+$35+$10+$3).

Figure 2: Measurement setups.


Measurement Setups. We seek to examine the GPS 
spoofing range, the takeover time delay, and the poten- 
tial blockage effect from the car body. Before and during 
the measurements, we have taken active steps to ensure 
the research ethics and legality. First, the measurement 
was exclusively conducted in China. We obtained a tem- 
porary legal permission from the local radio regulation 
authority in Chengdu, China for conducting the exper- 
iments. Second, we performed the measurements in a 
large outdoor parking lot after midnight when there were 
no people or cars around (with the permission). Third, 
we have carefully tested the GPS signal strength at the 
edge of the parking lot to make sure the signals did not 
affect the outside areas. 

Our measurement focuses on two possible attacking cases to spoof the GPS
device in a moving car (Figure 2). First, the attacker can place the
small spoofer in the victim’s car or stick the spoofer under the car.
The attacker then can remotely log in to the spoofer via SSH to perform
the attack through a cellular connection. Second, if the spoofer cannot
be attached to the victim’s car, then the attacker may tailgate the
victim’s car by driving or flying a drone that carries the spoofer.


Same-Car Setting. In the same car setting, we place the smartphone
(XIAOMI MIX2 with Android 8.0) as the victim GPS device in the dashboard
area. Then we place the spoofer under the backseat, or in the trunk. At
each position, we SSH into the spoofer to take over the GPS lock of the
phone. We repeat 10 times and calculate the average takeover time. The
result shows that the average takeover time is slightly higher from the
trunk (48 seconds) than that from the backseat (35 seconds), but the
difference is minor. Note that the takeover is a one-time effort. Once
the fake signal is locked in, the connection can sustain throughout the
attack.

Distance (m)      | 10   | 20   | 30   | 40   | 50   | 60
Takeover Time (s) | 59.2 | 37.6 | 41.2 | 62.4 | 35.0 | -
Failure Rate      | 0    | 0    | 0    | 0    | 0.2  | 1.0

Table 1: Average takeover time and the failure rate.


Two-Car Setting. Next, we place the spoofer and the smartphone in two
different cars, and examine the impact of distance d. We increase d by a
step of 10 meters and measure the takeover time. Cars remain static
during the measurement. As shown in Table 1, the distance does not
significantly impact the takeover time, but it does affect the takeover
success rate. When the distance is longer, the takeover is more likely
to be unsuccessful. The effective spoofing range is 40-50 meters.

We performed additional tests to examine the potential blockage effect
of other cars on the road. More specifically, we placed the spoofer and
the smartphone in two different cars. Between these two cars, we placed
three additional cars as the blockage. The result shows the average
takeover time remains similar (41.2 seconds). To further examine the
sustainability of the signal lock-in, we fix the location of the
spoofer’s car, and let the victim’s car drive in circles (about 10 mph)
while keeping a distance of 15 meters. After driving non-stop for 15
minutes, we did not observe any disconnections, which confirms the
sustainability. Overall, the results demonstrate the possibility of
performing the GPS spoofing attack in practice.


4 GPS Spoofing Attack Method 


The measurement results demonstrate the initial feasibility, and the
next question is how to make the attack more stealthy. Intuitively, if
the attacker randomly changes the GPS information of the navigation
device, the driver can easily notice the inconsistency between the
routing information and physical road condition. For example, the
spoofed GPS location may trigger the navigation system to instruct a
“left turn”, but there is no way to turn left on the actual road. In
order to make the driver believe he is driving on the original route,
the key is to find a virtual route that mimics the shapes of the real
roads. In this way, it is possible for the navigation instructions to
remain consistent with the physical world. Another contributing factor
is that navigation systems typically display the first person view. The
driver does not see the whole route, but instead, focuses on the current
route and the next turn, which is likely to increase the attacker’s
chance of success.

(c) Actual path of the victim A → C

Figure 3: An attack example: the victim’s original navigation route is
P → D; At location A, the spoofer sets the GPS to a ghost location B
which forces the navigation system to generate a new route B → D.
Following the turn-by-turn navigation, the victim actually travels from
A to C in the physical world.


4.1 The Walk-through Example 


The victim is a traveler to New York City who is not familiar with the
area and thus relies on a GPS app to navigate. Figure 3a shows the
victim is driving from Hamilton Park in New Jersey (P) to Empire State
Building in Manhattan (D). Assume that an attacker takes over the
victim’s GPS receiver at the exit of the Lincoln Tunnel (A) as shown in
Figure 3c. The attacker creates false GPS signals to set the GPS
location to a nearby “ghost” location B. To cope with the false location
drift, the navigation system will recalculate a new route between B and
D. We call the new route the ghost route. On the physical road, the
victim is still at location A and starts to follow the turn-by-turn
navigation from the app. At the same time, the navigation app is
constantly receiving the spoofed GPS signals. Eventually, the victim
will end up at a different place C. Note that the shape of the B → D
route is similar to that of the A → C route. Depending on the purpose of
the attack, the attacker may pre-define the target destination C or
simply aim to divert the victim from arriving at the original
destination D.


In practice, when the attacker changes the GPS information from A to B,
it may or may not trigger the “recalculating” voice prompt in the
navigation system. This depends on where B is positioned. If B still
remains on the original route (but at a different location from A), then
there will be no voice prompt. Otherwise, the voice prompt could be
triggered. This turns out to be less of a problem. Our user study
(Section 7) shows that users often encounter inaccurate GPS positioning
(e.g., urban canyon effect in big cities) and don’t treat the one-time
“recalculating” as an anomaly.


Symbol | Definition
$G$ | A geographic area.
$R = \{r_i\}$ | Road segments set.
$C = \{c_i\}$ | Road segment connection set. $c_i = (r_i, r_{i+1})$.
$L = \{l_i\}$ | Road segment length set. $l_i = |r_i|$.
$\Phi = \{\phi_i\}$ | Connection turning angle set. $\phi_i = \phi(r_i, r_{i+1})$.
$S$ | The merged segment $S_k = [r_i, r_{i+1}]$.
$P$, $D$, $\Gamma$ | Starting point, destination, navigation route.
$\Gamma_o$, $\Gamma_g$, $\Gamma_v$ | Original route, ghost route, victim route.
$Loc_a$, $Loc_g$ | Actual location, ghost location.
$\Omega_{driftDis}$ | Max. drifted distance between $Loc_g$ and $Loc_a$.
$v_g$, $v_a$ | Ghost speed, actual speed.
$\Omega_{speed}$ | Max. speed scale factor $|(v_g - v_a)|/v_a \le \Omega_{speed}$.

Table 2: Notation and definition.


4.2 Attack Formulation 


A successful spoofing attack relies on a careful choice of the ghost
location B. The ghost route B → D should fit the road map starting from
A. In addition, the ghost location B should be close to A so that there
will not be an obvious location change on the navigation map screen. In
the following, we describe our attack objectives and constraints. Key
notations are listed in Table 2.


Road Model. As shown in Figure 4, a geographic area $G$ is represented
by a set of road segments and connection points. $R$ is a set of road
segments, and $C = \{c_i = (r_i, r_{i+1})\}$ is a set of connection
points. Road segments are inter-connected through connection points. $L$
defines road segment length. $\Phi$ quantifies a connection point’s
turning angle. More specifically, $\phi_i = \phi(r_i, r_{i+1})$,
$\phi_i \in [-\pi, \pi)$. We use the counterclockwise convention to
calculate the angle [4]. $\phi_i > 0$ and $\phi_i < 0$ indicate a left
and right turn respectively.


Navigation Route. Given a starting point and a destination point, a
navigation route $\Gamma$ is calculated by the navigation system
represented by road segments: $\Gamma = (r_1, r_2, \ldots, r_n)$. In
practice, navigation systems typically tell people to keep driving along
the road crossing multiple segments before a turn is required. To this
end, we further merge adjacent road segments. If the turning angle at
connection point $(r_i, r_{i+1})$ is below a certain threshold $\theta$
(say 30°), these two road segments can be merged. After merging such
road segments, the navigation route is rewritten as
$\Gamma = (S_1, S_2, \ldots, S_m)$.

Figure 4: Road model example.

Consider a victim who is following an original route $\Gamma_o$ to a
destination $D$. At some point, an attacker launches the spoofing attack
to change the victim’s GPS from its actual location $Loc_a$ to a nearby
ghost location $Loc_g$. This will trigger the navigation system to
recalculate a new route from $Loc_g$ to $D$ as the ghost route
$\Gamma_g = (S_{g_1}, S_{g_2}, \ldots, S_{g_m})$. Consequently, the
victim will follow navigation instructions from $\Gamma_g$ and will end
up traversing a victim route
$\Gamma_v = (S_{v_1}, S_{v_2}, \ldots, S_{v_m})$. In our attack,
$\Gamma_v$ should match $\Gamma_g$ in terms of road segments and
connections. Note that $\Gamma_v$ might contain wrong-way segments (if
$S_{v_i}$’s direction is against the traffic) or loops (if $S_{v_i}$ has
the same starting and ending point).


Attack Objective. Given the victim’s current location $Loc_a$ and
destination $D$, the attack ATK aims to identify feasible victim routes
and the associated ghost location $Loc_g$ and ghost route $\Gamma_g$. We
define $O = \mathrm{ATK}(G, D, Loc_a) = \{o_1, o_2, \ldots, o_k\}$,
where $o_i = (\Gamma_{v_i}, \Gamma_{g_i}, Loc_{g_i})$ such that
$\Gamma_{v_i}$ matches $\Gamma_{g_i}$. If the attacker aims to divert
the victim to a pre-defined destination area $C$, then the attacker only
needs to search the $o_i$ where $\Gamma_{v_i}$ bypasses $C$.


Constraints. The constraint $\Omega$ includes two elements. (1) Location
drift constraint $\Omega_{driftDis}$, which defines the maximum drifted
distance between $Loc_g$ and $Loc_a$ at the beginning of the attack,
i.e., $\|Loc_g - Loc_a\| \le \Omega_{driftDis}$. This is to avoid
obvious location change on the navigation map screen. (2) Speed scale
factor constraint $\Omega_{speed}$ that limits the ghost speed $v_g$
within a reasonable range, i.e., $|(v_g - v_a)|/v_a \le \Omega_{speed}$.
The above practical constraints can be set to different values by
attackers in different situations, e.g., depending on the awareness of
the human users and the navigation system.
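Seen from the receiver's side, the same two quantities can be monitored by comparing GPS fixes with a speed source that does not depend on GPS. The following is an added example (not code from the paper) of such a sensor-consistency check: it flags a displacement that wheel odometry cannot explain and a GPS-derived speed that deviates from the odometry speed. The `Sample` layout, the thresholds and the sample track are constructed assumptions.

```python
"""Added example: cross-check GPS fixes against wheel odometry.

Mirrors the two constraints above from the defender's side:
  * location drift -> a fix that moved farther than the wheels did
  * speed scale    -> |v_gps - v_odo| / v_odo above a tolerance
Thresholds and the Sample layout are assumptions, not values from the paper.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Sample:
    t: float          # timestamp, seconds
    lat: float        # GPS latitude, degrees
    lon: float        # GPS longitude, degrees
    odo_speed: float  # wheel-odometry speed, m/s (independent of GPS)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance between two fixes, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def offset_fix(lat, lon, north_m, east_m):
    """Move a fix by a small local north/east offset given in metres."""
    new_lat = lat + math.degrees(north_m / EARTH_RADIUS_M)
    new_lon = lon + math.degrees(
        east_m / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return new_lat, new_lon


def check_track(samples, max_drift_m=30.0, max_speed_scale=0.2, min_speed=2.0):
    """Return (index, kind, value) alerts for consecutive sample pairs.

    kind is "location_drift" (value = unexplained metres) or
    "speed_scale" (value = |v_gps - v_odo| / v_odo).
    """
    alerts = []
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append((i, "bad_timestamp", dt))
            continue
        gps_dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
        # Distance the wheels report for the same interval (trapezoid rule).
        odo_dist = 0.5 * (prev.odo_speed + cur.odo_speed) * dt
        unexplained = abs(gps_dist - odo_dist)
        if unexplained > max_drift_m:
            # The fix jumped further than the vehicle physically travelled.
            alerts.append((i, "location_drift", unexplained))
            continue
        v_odo = odo_dist / dt
        if v_odo >= min_speed:  # the ratio is unstable near standstill
            scale = abs(gps_dist / dt - v_odo) / v_odo
            if scale > max_speed_scale:
                alerts.append((i, "speed_scale", scale))
    return alerts


def constructed_track():
    """Constructed 1 Hz track: steady 10 m/s, then a 150 m sideways jump,
    then GPS progress of 13 m/s while odometry still reports 10 m/s."""
    lat, lon = 40.0, -74.0
    track = [Sample(0.0, lat, lon, 10.0)]
    steps = [(10.0, 0.0)] * 4 + [(10.0, 150.0)] + [(13.0, 0.0)] * 3
    for t, (north, east) in enumerate(steps, start=1):
        lat, lon = offset_fix(lat, lon, north, east)
        track.append(Sample(float(t), lat, lon, 10.0))
    return track


if __name__ == "__main__":
    for idx, kind, value in check_track(constructed_track()):
        print(f"sample {idx}: {kind} ({value:.2f})")
```

The thresholds trade false alarms against sensitivity: ordinary GPS error in urban canyons also produces unexplained displacement, so deployed values would need tuning on real traces.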


5 Detailed Attack Algorithm Design 


Next, we describe the detailed design of our attack algorithm. The
attack algorithm contains two key components: road network construction
and attack route search. For any target geographic area, we construct
the road network from public map data. This is a one-time effort and can
be computed offline. In our study, we use the data from OpenStreetMap to
build a road network $G$. Based on the graph, we introduce two
algorithms to search the attack routes. The algorithms will return a
list of potential attack-launching positions and the corresponding
victim routes. Using the searching algorithms, the attacker can also
specify a target destination (area) to divert the victim to.


5.1 Basic Attack Design 


Given graph $G$, victim’s current location $Loc_a$, destination $D$ and
constraints $\Omega$, we design a basic search algorithm for the ghost
locations and victim routes. Before introducing the algorithm, we
clarify a few assumptions. First, given a starting point and a
destination, the attacker needs to compute a navigation route $\Gamma_o$
similar to what the victim has by querying the navigation service that
the victim is using (e.g., Google Maps APIs). In addition, the attacker
knows the victim’s actual location $Loc_a$. For the same-car setting
(e.g., spoofer is attached under the victim car), our spoofer is able to
tell the fake GPS signals and the real signals apart, and send the
victim’s actual location back to the attacker. For the tailgating model,
the victim is within the sight of the attacker, and thus $Loc_a$ is
known.

Regarding the victim’s destination D, it is not neces- 
sarily the final destination. It can be simply a rough area 
(e.g., financial district, hotel zone) or a location check- 
point (e.g., main bridges, tunnels, highway entrances) 
that the victim will bypass. The intuition is simple: for 
two nearby destinations, the navigation system will re- 
turn two routes whose early portions are similar (or even 
identical). With an estimated D, the attacker can generate 
a valid ghost route to match the early portion of the vic- 
tim’s route, which is sufficient to trigger the fake turn-by- 
turn navigation instructions. In practice, attackers may 
obtain D from different channels, such as the target user’s 
social media location check-ins, destination broadcasting 
in taxi-hailing services, and identifying the checkpoints 
that the user must traverse (e.g., the Lincoln Tunnel entrance when
traveling between New Jersey and Manhattan). Technically, attackers can
also probe the victim’s destination area by sequentially drifting the
ghost location and observing the reactive movements of the victim, which
has been shown to be feasible [46].

As illustrated by Algorithm 1, the basic algorithm begins by selecting a
ghost location $Loc_g$ from all the connection points within the
distance bound $\Omega_{driftDis}$ from the actual location $Loc_a$.
Then, a ghost navigation route
$\Gamma_g = (S_{g_1}, S_{g_2}, \ldots, S_{g_m})$ from the ghost location
to the destination is calculated. In order to find as many victim routes
as possible, we traverse the graph from the actual location via an
m-depth breadth-first search. We keep the candidate routes that satisfy
the following criteria at every step:

Input: $G$, $D$, $Loc_a$, $\Omega_{driftDis}$, $\Omega_{speed}$
Output: $O = \{o_1, o_2, \ldots, o_k\}$, $o_i = (\Gamma_v, \Gamma_g, Loc_g)_i$
Initialization: $O \leftarrow \emptyset$
Preprocessing: Find all candidate ghost current locations
    $\{Loc_{g_1}, Loc_{g_2}, \ldots, Loc_{g_N}\}$ within $\Omega_{driftDis}$
    distance from $Loc_a$
for $i = 1$ to $N$ do
    $\Gamma_g = (S_{g_1}, S_{g_2}, \ldots, S_{g_m})$, where $\Gamma_g$ is
        obtained through an API getNavigationRoute($G$, $Loc_{g_i}$, $D$)
    $U_0 = \{[r_{ac}]\}$, where $Loc_a \in r_{ac}$
    $U_1, U_2, \ldots, U_m \leftarrow \emptyset$
    for $j = 1$ to $m$ do
        if $U_{j-1} == \emptyset$ then
            break
        end if
        for $u \in U_{j-1}$ do
            $v \leftarrow u$.end_point
            for $s \in$ segments with starting point of $v$ do
                if $s$ has passed the search criteria then
                    Append $u$.append($s$) to $U_j$
                end if
            end for
        end for
    end for
end for
return $O$

ALGORITHM 1: Basic attack algorithm


• Turn Pattern Matching: To make sure the navigation instructions of the
  ghost route can be applied to the victim route, we need to match the
  turn patterns of the two routes: $\phi(S_{v_i}, S_{v_{i+1}})$ and
  $\phi(S_{g_i}, S_{g_{i+1}})$ $\in$ same maneuver instruction category.

• Segment Length Matching: Given a speed scale factor $\Omega_{speed}$,
  the travel distance of the ghost should be within
  $(1 \pm \Omega_{speed})$ times the victim’s actual travel distance on
  each segment, namely,
  $(1 - \Omega_{speed}) \cdot S_{v_i} \le S_{g_i} \le (1 + \Omega_{speed}) \cdot S_{v_i}$.
  This guarantees that the segment lengths on the ghost and victim
  routes are similar.


In the worst case, the computational complexity is exponential in the
number of road segments connected by one intersection. However, thanks
to the searching criteria, the unqualified victim routes can be
terminated at a very early stage.


5.2 Iterative Attack Design 


In the basic attack, the attacker only shifts the GPS position once from
$Loc_a$ to $Loc_g$. Here, we propose an iterative attack, which allows
the attacker to create multiple drifts at different locations, while the
victim is driving. By iteratively applying the basic attack algorithm,
the attack performance can be significantly improved since partially
matched victim-ghost routes can be used for searching new routes as the
victim moves. As shown in Algorithm 2, for each iteration, we first
check if the attack goal has been achieved. If not, we create another
location shift on the new ghost route segments from the previous
iteration, and apply the basic searching algorithm. The attacker’s goal
can be “reaching a pre-defined destination” or “entering a wrong way”,
which helps to terminate the searching early.

Input: $G$, $D$, $\Omega_{driftDis}$, $\Omega_{speed}$, $O_0$, $I$, attack_goal
Output: $O_i$, where $i = 1, 2, \ldots, I-1$
Initialization: carryover_$\Gamma_v \leftarrow \emptyset$,
    carryover_$\Gamma_g \leftarrow \emptyset$,
    $O_i \leftarrow \emptyset$, $i = 1, 2, \ldots, I$
for $i = 1$ to $I-1$ do
    if attack_goal has been achieved then
        return
    end if
    $U_1, U_2, \ldots, U_m \leftarrow O_{i-1}$
    for $j = 1$ to $m$ do
        if $U_j = \emptyset$ then
            break
        end if
        for $u$ in $U_j$ do
            $\Gamma_{g_u} \leftarrow O_{i-1}[u]$
            for $k = start_j$ to $end_j$ do
                Append basic_attack($G$, $D$, $\Gamma_{g_u}[k]$) to $O_i$
                Append $\Gamma_{g_u}[:k]$ to carryover_$\Gamma_g[u]$
                Append $\Gamma_{v_u}[:k]$ to carryover_$\Gamma_v[u]$
            end for
        end for
    end for
    Save ($O_i$, carryover_$\Gamma_v$, carryover_$\Gamma_g$)
end for
return

ALGORITHM 2: Iterative attack algorithm


5.3 Targeted Deviating Attack 


With the above searching algorithms, the attacker may 
launch the attack by specifying a target destination area. 
More specifically, the attacker can divide the geographic
area into grids (width w) and then pick one of the grids as 
the target destination. Then the attacker can run the ba- 
sic or iterative algorithm to compute all the possible vic- 
tim routes and identify those that bypass the pre-selected 
grid. The attacker can terminate the searching algorithm 
earlier once a victim route hits the destination grid. In- 
tuitively, the success of the attack depends on the road 
map of the city and the size of the grid (w). There is 
also a limit on how far away the target destination can be 
set given the condition of the original route. We provide 
detailed evaluations in the next section. 


6 Attack Evaluation 


Next, we evaluate the proposed algorithms using both 
trace-driven simulations and real-world driving test. Our 
simulation is based on empirical driving traces collected
from Manhattan and Boston. Given different attack
goals, we seek to understand how well the algorithms can 
identify the qualified ghost routes and ghost locations. 
Then we implement algorithms and conduct real-world 
driving tests to validate the attack feasibility in real-time. 


6.1 Simulation Experiments 


Our attack is more suitable to run in the cities where the 
road networks are dense. We use the maps of Manhattan 
(NY) and Boston (MA) since the two cities have differ- 
ent road networks [39] to test our algorithm under differ- 
ent road conditions. For example, Manhattan has more 
regular grids with a 17.8° standard deviation of turn an- 
gles, while Boston has more curvy roads (20.5° standard 
deviation). In addition, Manhattan has a lower road segment
density (51 segments/km²) compared with that of
Boston (227 segments/km²). We construct the road network
based on the OpenStreetMap database [39].


Driving Trace Dataset. To examine the attack per- 
formance on realistic driving trips, we obtain taxi trip 
datasets from NYC Taxi and Limousine Commission 
(TLC) [5] and the Boston taxi trace dataset used by MIT 
Challenge [1]. We randomly select 600 real-world taxi 
trips (300 per city). These traces cover the large area 
and various road types (visualization is in Appendix-A). 
The average length of the routes is 900m in Manhattan 
(MAN) and 2000m in Boston (BOS). 


Evaluation Configurations. For each taxi trip, we 
exhaustively run the search algorithm at each road seg- 
ment to identify all the possible attack locations (and the 
corresponding ghost locations and victim routes). This 
provides a “ground-truth” on the possible attack options 
available to the attacker. Then we discuss how these op- 
tions meet the attacker’s goals. 


For constraint parameters, we set the maximum drift
distance $\Omega_{driftDis} = 400$m. A measurement study shows
that a GPS drift of less than 400m is common during active
driving [10]. In addition, given the speed limits in
the two cities are 25 to 30 mph, we set $\Omega_{speed} = 0.2$,
assuming a 5–6 mph speed offset is unnoticeable. For the
iterative attack, we run two iterations as a comparison with
the basic attack. Our algorithm also requires calculating
the “turning angle” to compare the shape of the roads.
We follow Waze’s standard [7] to identify the continuous
road ([−30°, 30°]), left/right-turn ([30°, 170°]), and
U-turn ([170°, 180°]). We implement the algorithms in
Python, and run the evaluation on a server with a 192GB 
RAM and 24 cores. 


6.2 Evaluation Results 


The performance metric depends on the specific goal of 
the attacker. Recall in our threat model (Section 2.1), 
we defined three types of attacks which need different 
evaluation metrics. Below, our metrics are all based on 
each of the taxi trips (per-trip metric). 


Deviating Attack. If the attacker simply aims to 
divert the victim from reaching the original destination, 
the evaluation metric will focus on the number of victim 
routes available to the attacker, and the diverted distance 
for each road segment on victim routes. More specifi- 
cally, given road segment r, and the original navigation 
route T, = (r1,12,.--,/n), the diverted distance for r, is 
y, where ||r, — r;|| is the 


distance between two road segments. By running the ba- 
sic algorithm, we successfully identify at least one vic- 
tim route for all the 600 taxi trips. On average, each 
trip has 335 qualified victim routes, indicating a wide 
range of attack opportunities. The iterative algorithm (it- 
eration i = 2) identified many more victim routes (3,507 
routes per trip). Note that for BOS-I, the results are based 
on 260 trips with distance capped at 6000m. Figure 5a 
shows average diverted distance per trip. Again, the iter- 
ative algorithm is able to identify victim routes that are 
further away from the victim’s original routes. On aver- 
age, about 40% of the trips can be diverted 500 meters 
away. 

One specific goal of the Deviating Attack could be 
delaying the victim’s trip by leading the victim to loop 
routes. Given a taxi trip, we examine whether there ex- 
ists a victim route that contains a loop. Using the basic 
algorithm, we find at least one loop victim route for 256 
out of 300 (85.33%) taxi trips in Manhattan, and 294 out 
of 300 (98%) trips in Boston. 


Targeted Deviating Attack. If the attacker aims to 
divert the user to a pre-defined location, the evaluation 
metric will focus on hit rate. For a given taxi trip, the 
hit rate reflects how likely a victim route can bypass the 
attacker-defined destination to achieve targeted diverting. 
Given a taxi trip, we first circle an area around the taxi 
route as the considered attack area. The area is of a sim- 
ilar shape of the taxi route with a radius of r (i.e., any 
location inside this area has a distance shorter than r to 
the taxi route). We divide the area into grids (width w). 
The attacker can pick a grid inside the area as the target 
destination. Hit rate is the ratio of the grids that the vic- 
tim can be diverted to over all the grids in the attack area. 
An illustration is available in Appendix-B. 

Figure 5b shows the hit rate of the basic attack. We set
the grid size as w=500m and then vary the radius r of the
considered area. The result shows that we can achieve
about 70%, 47%, 20% median hit rate in Manhattan with
r = 500m, 1000m, and 2000m respectively. This indicates
that even a randomly selected destination grid is highly
likely to be reachable. Not surprisingly, victim routes get
sparser as they get further away from the original route.
Note that even with 20% hit rate in 2000m range, if the
attacker provides three candidate target destination grids,
the success rate will be higher: $1 - (1 - 0.2)^3 = 48.8\%$.
Comparing Figure 5b and Figure 5c, we show that a
larger grid leads to a higher hit rate. In practice, the attacker
can use a larger grid if he can tolerate some inaccuracy
of the target destination, i.e., the victim is led to a nearby
area instead of the exact target location.


(d) Hit rate (grid size = 200m, iterative attack)

Figure 5: Attack results in Manhattan (MAN) and Boston (BOS). B = Basic Attack; I = Iterative Attack; M500 =
Manhattan with a 500m grid size; B500 = Boston with a 500m grid size.


Figure 5d shows that the iterative attack algorithms
can significantly increase the hit rate (blue lines) compared
to those of the basic algorithm (red lines). In addition,
Figure 5e shows that the iterative algorithm also significantly
increases the total number of bypassed grids by
all the victim routes, i.e., the number of potential target
destinations for the attacker.


Endangering Attack Result. If the attacker aims 
to endanger the victim, then we focus on the wrong-way 
rate. Given a taxi trip, we aim to find at least one victim 
route that contains a wrong way segment. The basic al- 
gorithm identified a wrong-way victim route for 599 out 
of the 600 taxi trips (99.8%). Notably, 90.4% of trips 
have the victim routes that contain a highway type of 
wrong way segment, which incurs real danger. 


Boston vs. Manhattan. Boston has denser road net- 
works and irregular road shapes. Manhattan has a sparser 
and grid-like road network. The road network features 
affect the attack performance. As shown in Figure 5b and 
Figure 5c, the smaller grid size helps Boston to reduce 
the hit rate deficit against Manhattan, since the dense 
road segments in Boston allow us to divert the victim 
to more precise destinations. In addition, since Boston 
has more irregular roads, it is more difficult to search 
for a long victim route that matches the ghost route. On 
the contrary, Manhattan’s grid-like road structure yields 
a better match for long victim routes as shown in Fig- 
ure 5a. Our attack works for small cities, but will yield 
fewer options for attackers (validated in our real-world 
driving test). 


Original Destination Estimation. Recall that to run 
the attack algorithm, the attacker needs some knowledge 
about D, the original destination of the victim. Here, 
we evaluate the impact of the inaccurate estimation of 
D. More specifically, given a true D, we randomly set 
an estimated D’ that is within 200m, 500m or 1000m. 
Using D’, we generate the estimated route, and then cal- 
culate the overlapped portion with the original route. As 
shown in Figure 5f, even if the estimated destination is 
not accurate, there are enough overlapped segments (in 
the beginning) that can help to generate the victim routes. 
For example, even with 1000m error, the attacker can divert
the victim using the first half of the ghost navigation
route (medium 0.5 overlap rate).


(a) On-Route Attack (b) Off-Route Attack


Figure 6: The original routes and victim routes in the
real-world driving tests.


Computation Time Delay. The ghost route search- 
ing can be completed within milliseconds for the basic 
attack. The average searching time for one ghost lo- 
cation candidate is 0.2ms in Manhattan and 0.3ms in 
Boston. The iterative attack takes a longer but accept- 
able time: 0.13s in Manhattan and 0.32s in Boston. Note 
that the attacker can always pre-compute the route (within a
minute) before the victim arrives at the attack location.


6.3 Real-world Driving Tests 


We implemented the full attack algorithm and validated 
the feasibility through real-world driving tests. Two au- 
thors performed the same-car attack using our own car. 
One author acted as the driver (victim) who strictly fol- 
lowed the navigation instructions from the Google Maps 
(v9.72.2) running on the phone (XIAOMI MIX2 with 
Android 8.0 and HUAWEI P8 with Android 6.0). The 
other author sat on the backseat to operate the spoofer 
and ran the attack algorithm on a laptop. As previously 
stated, the spoofer can tell apart the fake GPS signals
from the real ones, and thus the attacker knows the true
location of the victim. The goal of the real-world driving 
tests is to examine if the spoofer can trigger the fake nav- 
igation instruction in real-time right before users need to 
make a navigation decision. 

Similar to the earlier measurements, we obtained a legal
permission from the local radio regulation authority, and 
conducted the experiments exclusively in China. In addi- 
tion, we have taken active steps to make sure the spoof- 
ing signals did not affect innocent users or cars. More 
specifically, we performed our measurements in a sub- 
urb area after midnight when there were almost no other 
cars on the road. To minimize the impact of the spoof- 
ing signals, we reduce the transmit power of the spoofer 
to the minimum (-40 dBm) and then use attenuators (30 
dB) to reduce the signal strength after locking in. The 
metal structure of the car also acts as a shield to contain 
the spoofing signals (about 15 dB attenuation). In addition,
there is another -42.41 dB free space propagation
loss at a two-meter distance. This means, beyond two 
meters away from the car, the signal strength is already 
very weak (about -127.41 dBm), which cannot take the 
lock of any GPS devices. 

In total, we tested on two different routes as shown 
in Figure 6. In both screenshots, lines A → D represent
original routes. Blue lines stand for ghost routes, while 
black lines stand for victim routes. A is the user’s ac- 
tual location and B is the corresponding ghost location. 
C is the user’s diverted destination, D is the original des- 
tination. In the first case (Figure 6a), the attacker set the 
ghost location to another location on the original route. 
Our test showed that this indeed can avoid triggering the 
“re-calculating” voice prompt. The route took nine min- 
utes and the driver was successfully diverted to the pre- 
defined location 2.1 kilometers away from the original 
destination. In the second case (Figure 6b), the attacker 
set the ghost location off the original route, which trig- 
gered a “re-calculating” voice prompt. This time, the 
driver drove five minutes and was diverted 2.5 kilometers 
away. In both cases, the smartphone was locked to the 
spoofed signal without dropping once. The sequences 
of fake locations were fed to the phone smoothly with 
a 10Hz update frequency. Despite the potential cross- 
checks of heading and filters embedded in Google Maps, 
the navigation instructions were triggered in time. 


7 Attacks with Human in the Loop 


Next, we examine how stealthy the attack can be to hu- 
man drivers (victims) through a user study. As previously 
stated, the attack focuses on people who drive in the un- 
familiar locations because they would be more likely to 
rely on the GPS navigation (instead of their own knowl- 
edge of the roads). We will also check the validity of 
this assumption in the user study. Our study cannot in- 
volve attacking human subjects when they drive real cars 
due to safety implications. Instead, we conduct a de- 
ceptive user study in a simulated environment using a 
customized driving simulator. Our study received the ap- 
proval of our local IRB (#17-936). 


7.1 User Study Methodology 


Our user study examines three high-level research questions.
R1: how do users use GPS navigation systems in
practice? R2: under what conditions is the GPS spoofing
attack more likely to deceive users successfully? R3:
what are the user perceptions towards the GPS spoofing
attack? We explore the answers with three key steps:
pre-study survey, driving tests, and post-study interview. To
avoid alerting the participants, we frame the study with a
non-security purpose, stating that the study is to test the
usability of our simulation software. We debrief users
after the driving test to obtain the informed consent. The
study takes about 50 minutes and we compensate each
participant $10.


(a) Experiment Setups (b) ETS II Game View (c) Google Street View


Figure 7: User study setups; The ETS II Game View is comparable to the Google Street View at the same location.


Pre-study Survey. The survey asks two questions: 
(1) how often do you use GPS navigation services when 
driving in familiar locations (e.g., home and work) and 
unfamiliar locations (e.g., visiting a new city)? (2) what
information provided by the navigation service do you 
primarily rely on during driving? 


Driving Tests. To simulate a realistic driving scenario,
we build a simulator by modifying a popular driving
simulation game “Euro Truck Simulator II” (ETS
II) [2]. We use ETS II for three reasons. First, the game 
presents the first-person view with realistic vehicle inte- 
rior and dashboard. In addition to the front view, the par- 
ticipant can easily move the view-angle (to see through 
the passenger window and the backseat) by moving the 
cursor. This provides a wide view range to the partic- 
ipant. Second, the simulator can load real-world maps 
where the 3D street view mimics the reality. Figure 7b 
and Figure 7c show the side-by-side comparison of the
game view (of a 3:1 map) and the actual street view (from 
Google Street View) at the same location. Because the 
street view is rendered in a high-resolution, the street 
signs and road names are clearly displayed. Third, the 
simulator SDK allows us to control the day-and-night 
settings and special weather conditions. We provide a 
demo video under this link.

For the driving test, we simulate attacking a victim
who drives in a new city. We display the driver’s view
on a 22 inch LED display (1920 x 1200) and load a 3:1
map of Budapest in Hungary [3], which is considered an
unfamiliar city for our participants. At the same time, we
run Google Maps on an Android smartphone as the navigation
app. The app provides turn-by-turn navigation,
and the voice prompt reads the street names. The smartphone
is placed in front of the LED display (near the
“dashboard” area) as shown in Figure 7a. For ethical and
legal reasons, we cannot directly spoof the GPS signal
of the smartphone. Instead, the smartphone runs a dedicated
app (developed by us) to fetch GPS sequences from
a server. The server reads the GPS information from the
driving simulator in real time and generates fake locations
for the smartphone. In this way, we can directly
manipulate the GPS read of the smartphone for the user
study.


Demo: https://www.dropbox.com/sh/h9zq8dpw6y0w120/AABZikKCUOhe44Bu1CtHZzHLta


(b) Victim Route

Figure 8: The original and victim route for the user study.


To examine user reactions to the attack, we assign 
each participant driving tasks. The participants will drive 
to deliver packages to a given destination following the 
navigation of Google Maps. Figure 8 shows the driving 
routes used in our user study. Figure 8a shows the orig- 
inal route that the participant is supposed to take. Fig- 
ure 8b shows the route to which the attacker aims to de- 
tour the participants. This route is chosen because it con- 
tains a high-way in the victim route, and only local-ways 
in the original route. These are the clear discrepancies for 
the victim to recognize. We tune two parameters: driving 
time (day or night) and weather (rainy or clear). The par- 
ticipant will deliver the package four times (on the same 
route) in this order: “rainy night”, “clear night”, “rainy 
day”, and “clear day”. This order makes it easier to rec- 
ognize the attack in the end than at the beginning. The 
experiment stops whenever the participant recognizes the 
attack. Note that the attack covers the takeover phase 
when the phone loses the GPS signal for a while and then 
jumps to a new location. 


To help the participants to get familiar with the driving 
simulator, we spend about 5–10 minutes to let the participants
play with the simulator before the real tests. We
also use the time to train the participants to “think-aloud” 
— expressing their thoughts and actions verbally. Dur- 
ing the real test, we encourage the participants to think- 
aloud and record the audio. 


Post-study Interview. In the interview, we first de- 
brief the participants about the real purpose of the study. 
Second, we ask about their perceptions towards GPS 
spoofing attacks. Third, we let the participants comment 
on the key differences between using the driving simu- 
lator and their real-world driving. The participants can 
withdraw their data at any time and can still receive the 
full compensation. 


Recruiting Participants. We performed the user 
study in both the U.S. and China. The user study ma- 
terials have been translated into the respective languages 
of the participants. Given that the study requires the par- 
ticipants to physically come to the lab (and stay for about 
one hour), we cannot perform the study on a massive 
scale. With a limited scale, our goal is to recruit a diverse 
sample of users. We distribute our study information on 
social media, user study websites, and student mailing 
lists. We recruited 40 participants (20 in the U.S. and 20 
in China). Among the 40 participants, there are 30 male 
and 10 female. 17 people are 26-35 years old, and 20 
people are 18-25, and 3 people are 36-50. Regarding 
the driving experience, 22 people drive for <3 years, 16 
people drive for 3—10 years, and 2 people drive for 10-20 
years. Our participants are slightly biased towards tech- 
savvy users: 20 users (50%) have a Computer Science 
background. 


7.2 User Study Results 


Driving and Navigation Habits. Users are more 
likely to use GPS navigation systems when traveling in 
unfamiliar areas. We ask users to rate how often they 
use GPS in “familiar”, “not-too-familiar” and “unfamiliar”
areas with a scale of 10 (1=never; 10=almost every
time). The U.S. participants’ average score for unfamiliar
places is much higher (7.85) than familiar locations
(4.55). The results from China are consistent (10.0
vs. 3.93). This means, our attack may not be applicable 
to familiar area since people don’t rely on GPS. 

Users are more likely to rely on the voice prompt 
and visual instructions than the textual information. We 
present a Google Maps screen and ask which information
the participant typically relies on to make driving decisions
(a multi-choice question). In the U.S., 13 users
(68.4%) choose voice prompt, 11 users (57.9%) rely on 
visual elements such as road shapes and arrows, and only 
6 users (31.6%) choose textual information such as street 
names. The results from China are consistent. These results
are in favor of our attack, which is designed to manipulate
the voice and the visual elements.


User Reactions to GPS Spoofing Attacks. Our attack
has achieved a high success rate (95%). Out of 40
people, only one U.S. participant and one Chinese participant
recognized the attack. The remaining 38 participants all
finished the four rounds of driving tasks and followed the 
navigation to reach the wrong destinations. 

Both participants recognized the attack because they 
detected certain inconsistency between the navigation in- 
formation and the surrounding environment on the road. 
The U.S. participant (user#38, m, 18-25, driving <3 
years) recognized the attack during the second round 
(clear night). He was driving on a high way with a gas 
station on his right when he realized that the Google 
Maps showed that he was on a local way without a gas 
station nearby. He also checked the street signs and rec- 
ognized the inconsistent road names. The Chinese par- 
ticipant (user#5, m, 26-35, driving <3 years) recognized 
the attack during the first round (rainy night), alerted by 
the “highway and local way” inconsistency. 

During the driving task, we observe that almost all 
the participants noticed when the GPS signals are lost 
during the takeover phase (about 30 seconds), but still 
kept driving on the road. Once the GPS signal came 
back, they continued to follow the navigation instruc- 
tions. Our interview later shows most users have expe- 
rienced malfunctioned GPS before, which is not enough 
to alert them. 


User Perceptions to the Attack. During the in- 
terview, we find that most users have experienced GPS 
malfunction in real life. 95% of the users commented 
that they experienced GPS malfunction in real life such 
as losing GPS signals and wrong positioning. User#39 
stated that she even had a car accident due to the poor 
GPS signals. Some users mentioned that it could be very 
challenging to check road signs constantly. For exam- 
ple, user#03 stated “the roads in the U.S. all look sim- 
ilar. Sometimes I notice the road signs, but not when 
I drive fast”. In addition, users do not understand how
GPS spoofing works. Among the 40 participants, only
eight users can explain GPS spoofing correctly. 

We encourage the participants to comment on the 
differences between using the simulator and real-world 
driving. The most common response is the usage of 
the keyboard and mouse to control the car for steering 
and acceleration. User#10 also commented that they can 
drive more recklessly in the simulation game: “The most 
different part is that you are afraid of nothing. You are 
not afraid of red lights, crashing either.” These are the 
limitations of the controlled and simulated studies. 


Discussion. Overall, the results show that our attacks
are highly effective even when human drivers are
in the loop. The results also point out three types of
inconsistencies that are likely to alert users: (1) inconsistency
between highway and local ways; (2) inconsistent
street names; (3) inconsistent landmarks (e.g., gas
station). More advanced attacks can further avoid the
“highway - local way” inconsistency by filtering out such
routes. The other two factors depend on whether the
driver has the habit (and has the time) to cross-check
the surrounding environment. In addition, our interview
reveals that most people have experienced GPS malfunction
in real life, which makes them more tolerant of GPS
inconsistencies. In addition, since people are more likely
to rely on visual and voice prompts, it increases the
attacker’s probability of success. Our study still has
limitations, which are discussed at the end of the paper.


              Mechanism                                            $ Cost   Deploy. Overhead   Effectiveness   Robustness
Modif.-based  Encryption & authentication [29, 64]                 High     High               High            High
Modif.-based  Ground infrastructures [12, 27, 36, 49, 50]          High     High               High            High
Modif.-based  GPS receiver hardware [24, 31, 35, 40, 47, 73]       Medium   High               High            High
Modif.-based  GPS receiver software [32, 35, 47, 48, 55, 63, 65]   Low      Low                Low             Low
Modif.-free   External location verification [23, 70]              Low      Low                Low             Low
Modif.-free   Internal sensor fusion [19, 57]                      Low      Low                Low             Low
Modif.-free   Computer vision [13, 42, 69]                         Low      Low                Medium          Unknown


Table 3: Comparison of different countermeasures.


8 Discussion and Countermeasures 


Our study demonstrated the initial feasibility of ma- 
nipulating the road navigation system through targeted 
GPS spoofing. The threat becomes more realistic as 
car-makers are adding auto-pilot features so that hu- 
man drivers can be less involved (or completely disen- 
gaged) [38]. In the following, we discuss key directions 
of countermeasures. 

In Table 3, we classify different methods based on 
whether (or how much) they require modifications to 
the existing GPS. Modification-based methods require 
changing either the GPS satellites, ground infrastruc- 
tures, or the GPS receivers. Modification-free methods 
typically don’t need to change existing GPS, which make 
them more attractive to be adopted. 


Modification-Based Approaches. First, the most ef- 
fective solution is to upgrade the civilian GPS signals to 
use the P(Y) code encryption. Researchers also proposed 
signal authentication for next-generation GNSS (Global 
Navigation Satellite System) [29, 64]. However, this approach
is extremely difficult to become prevalent in the short term,
given the massive number of civilian GPS devices already
shipped and deployed.

Second, trusted ground infrastructures can help GPS devices
to verify the location; related techniques include
trusted verifiers, distance bounding protocols [12, 49],
multilateration [50], multi-receiver crowdsourcing [27]
and physical-layer feature checks [36]. However, due to
the constraints in government policies, and the significant
costs, dedicated ground infrastructures are also unlikely
to be widely deployed.

Finally, we can modify the GPS receivers. For ex- 
ample, the angle-of-arrival of signals can help to esti- 
mate the transmitter’s location for authenticity check. 
This requires a large directional antenna array [35], or 
special moving antenna [47]. Such hardware modi- 
fications are not applicable to the billions of mobile 
phones. At the software level, consistency-check algo- 
rithms can help to detect the side effects of non-smooth 
GPS takeover [32, 63,65]. In addition, the GPS receiver 
can also lock on additional satellites [48] or synchronize 
with other GPS receivers [55] to identify spoofing. How- 
ever, these methods often suffer from the multi-path ef- 
fect and are vulnerable to smooth takeovers [26]. 


Modification-Free Approaches. First, location 
verification can leverage existing GNSS signals (e.g., 
Galileo, GLONASS, Beidou) [23], and wireless network 
signals [70]. These external location verifications help 
but cannot stop the attacker completely because civilian 
GNSS signals are also unencrypted. The attacker can 
perform multi-signal jamming or spoofing against both 
signals [26]. Similarly, the network location is based on 
the MAC address of the WiFi or cell tower ID, which can 
also be jammed or spoofed [43, 56]. 

In addition, a navigation system may cross-check the 
GPS locations with dead reckoning results based on in- 
ertial measurement unit (IMU) sensors (e.g., accelerom- 
eter, gyroscope, magnetometer) [19,57]. However, this 
method in general suffers from accumulated IMU sensor
errors and becomes ineffective as time passes.
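
The cross-check described above, sketched in Python as an added example (not code from the paper). The noise and drift constants, all class and function names, and the constructed drive (12 m/s due north, a 1 degree heading bias, a 30 s or 200 s GPS outage, a fix displaced 300 m) are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Assumed error budget; illustrative values, not taken from the paper.
GPS_NOISE_M = 15.0          # tolerated noise on a single GPS fix
DRIFT_RATE_M_PER_S = 2.0    # assumed growth of dead-reckoning error


@dataclass
class ImuSample:
    dt: float            # seconds since the previous sample
    speed: float         # m/s (wheel odometry or integrated accelerometer)
    heading_deg: float   # 0 = north, 90 = east (gyroscope/magnetometer)


@dataclass
class GpsFix:
    x: float  # metres east of the origin (local flat-earth frame)
    y: float  # metres north of the origin


class DeadReckoningChecker:
    """Cross-checks GPS fixes against a position integrated from IMU data."""

    def __init__(self, anchor: GpsFix):
        self.x, self.y = anchor.x, anchor.y
        self.since_anchor = 0.0   # seconds since the last trusted fix

    def integrate(self, s: ImuSample) -> None:
        h = math.radians(s.heading_deg)
        self.x += s.speed * s.dt * math.sin(h)
        self.y += s.speed * s.dt * math.cos(h)
        self.since_anchor += s.dt

    def check(self, fix: GpsFix):
        """Return (consistent, residual_m, bound_m) for one GPS fix."""
        residual = math.hypot(fix.x - self.x, fix.y - self.y)
        # The tolerated residual has to grow with the time since the last
        # trusted fix, because IMU errors accumulate. This is the weakness
        # of the method that the text points out.
        bound = GPS_NOISE_M + DRIFT_RATE_M_PER_S * self.since_anchor
        consistent = residual <= bound
        if consistent:            # re-anchor only on fixes that pass
            self.x, self.y = fix.x, fix.y
            self.since_anchor = 0.0
        return consistent, residual, bound


def simulate(outage_s: int, shift_east_m: float):
    """Constructed drive: 12 m/s due north, no GPS for outage_s seconds,
    then one fix displaced shift_east_m metres from the true position.
    The IMU heading carries a constructed 1 degree bias."""
    checker = DeadReckoningChecker(GpsFix(0.0, 0.0))
    for _ in range(outage_s):
        checker.integrate(ImuSample(dt=1.0, speed=12.0, heading_deg=1.0))
    true_y = 12.0 * outage_s
    return checker.check(GpsFix(shift_east_m, true_y))


if __name__ == "__main__":
    for outage, shift in [(30, 0.0), (30, 300.0), (200, 300.0)]:
        ok, residual, bound = simulate(outage, shift)
        print(f"outage={outage:>3}s shift={shift:>5.0f}m "
              f"residual={residual:6.1f}m bound={bound:5.1f}m "
              f"{'consistent' if ok else 'FLAGGED'}")
```

After the 30 s outage the honest fix passes and the displaced fix is flagged; after 200 s the bound has grown to 415 m and the same displacement is accepted, which is the accumulated-error limitation stated above.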


Computer Vision based Location Verification. We
believe a promising defense direction is to use com- 
puter vision techniques to automatically cross-examine 
the physical-world landmarks and street signs with the 
digital maps. Recall that in our user study, the two partic- 
ipants recognized the attack in a similar way. Given the 
proliferation of cameras/LIDARs on mobile devices and 
vehicles, vision-based location verification only requires 
software level upgrade. So far, vision-based techniques 
can accurately localize vehicles (up to 3m) using visual 
odometry and road maps [13,42]. SLAM (Simultane- 
ous Localization And Mapping) can also localize images 
based on geo-referenced street view databases [69]. 


What remains unknown is the robustness of vision- 
based methods against adversarial manipulations. Re- 
cent works [18,67] demonstrated that image classifiers 
can be easily fooled by adding small adversarial noises 
to the input (e.g., a street sign image). In our scenario, 
although it is very unlikely for adversaries to modify all 
the physical street signs and landmarks along the road, 
the high sensitivity of image classifiers is still a potential 
concern. Recently, researchers have proposed methods 
to enhance the robustness of image classifiers [22,33,66]. 
Further research is needed to understand the feasibility of 
vision-based location verification. 


Study Limitations. In this work, we optimize the 
GPS spoofing attack to be stealthy, which has to compromise
on other factors. First, the effectiveness of our attack
will be decreased in suburban or rural areas with sparse
road structures. However, given that 54% of the world’s
population lives in urban areas [9], the attack can potentially
impact many people. Second, the attack does
not work on all users. We target users who travel in unfamiliar
areas since those users are more likely to rely
on the GPS for navigation. We also argue that the in- 
creasingly popular auto-pilot systems would weaken the 
human-level checking in the long run. 

Our user study has several limitations. First, to sim- 
ulate traveling in an unfamiliar area, we choose a Eu- 
ropean city. It is possible that Hungarian street names 
are less understandable to Chinese/American. However, 
even in the US, many streets have Spanish street names. 
Second, due to the length and the depth of the user study, 
the study cannot reach a massive scale. There are biases 
in our user population (e.g., people with a Computer Sci- 
ence background). We argue that the general population 
can be more susceptible compared to tech-savvy users. 
Third, our study only tested on one route, and the route 
does not contain wrong-ways or loops. In practice, once 
users enter the wrong way, they may recognize the attack 
(but already in danger). 


9 Related Work 


GPS spoofing attacks were first systematically discussed
in [59]. To date, researchers and hackers have successfully
spoofed GPS devices in moving trucks [62],
ships [46], drones [28] and mobile platforms [25,61] using
off-the-shelf GPS signal simulators [62] or software
defined radios [25,28,46,61]. Humphreys et al. have
demonstrated seamless GPS takeover on a moving yacht
with a portable receiver-spoofer [26]. Later, an attachable
miniature version called “limpet spoofer” was
proposed in [16]. Similar technical concepts were also
used in [37,41] to develop spoofing devices. In [55], the
authors provided in-depth analysis and summarized requirements
for seamless GPS takeover. However, the above
works focus on basic signal spoofing, making them unlikely
to succeed in road navigation scenarios.


Recently, a number of privacy attacks have been pro- 
posed in road navigation scenarios to infer user move- 
ments [60]. Narain et al. proposed a route matching 
algorithm to infer user movement traces based on mo- 
tion sensor data [39]. Our work differs from them in 
terms of the attack goals and methods. Our goal is to 
stealthily manipulate/control the victim’s navigation system
by supplying fake inputs (i.e., GPS signals) at the
right time. [71] preliminarily formulated the route spoof- 
ing problem. Compared to [71], we have made signif- 
icant contributions by proposing new attack algorithms 
(e.g., iterative attack, targeted diverting attack), and more 
importantly conducting real-world driving tests and user 
studies to validate the feasibility. 


GPS spoofing belongs to the broad category of sen- 
sor manipulation. Researchers have examined attacks on 
other sensors such as camera, fingerprint sensor, medical
infusion pump, analog sensors, and MEMS sensors
[14,15,17,20,21,30,34,44,52,54,58,72]. Some
of the attacks specifically target (autonomous) vehicles 
to disrupt their ultra-sonic sensor, millimeter-wave radar, 
LIDAR, and wheel speed sensor [51,53,68]. The unique 
contribution of our work is to demonstrate the feasibility 
of (GPS) sensor manipulation with both physical con- 
straints (road networks) and human in the loop. 


10 Conclusion 


In this paper, we explored the feasibility of real-time 
stealthy GPS spoofing attacks targeting road navigation 
systems. Real-world driving tests, taxi-trace evaluations, 
and human-in-the-loop user study results all confirmed 
high attack effectiveness and efficiency. We hope that 
the results can motivate practical defense mechanisms 
to protect the massive GPS users and GPS-enabled au- 
tonomous systems. 

Appendix-A: Taxi Route Visualization


Figure 9 visualizes the 600 taxi routes in Manhattan 
and Boston that are used for our evaluation. In our experiments,
the considered area in Manhattan is 10.64 km × 7.38 km
with a latitude range (40.7003, 40.7959)
and a longitude range (-74.0180, -73.9308). The considered
experiment area in Boston is 8.52 km × 10.60 km
with a latitude range (42.3134, 42.3885) and a longitude 
range (-71.1435, -71.0149). As shown in Figure 9, the 
taxi routes are concentrated in the downtown areas in 
both respective maps. 


(a) 300 taxi routes in Manhattan. 


(b) 300 taxi routes in Boston. 


Figure 9: Visualization of taxi routes in Manhattan and 
Boston. 


Appendix-B: Attack Area and Grids 


In the Targeted Deviating Attack, the attacker aims to di- 
vert the user to a pre-defined location. Our evaluation 
metric will focus on hit rate. In the following, we briefly 
explain how to calculate the hit rate. For a given taxi 
trip, the hit rate reflects how likely a victim route can by- 
pass the attacker-defined destination to achieve targeted 
diverting. Figure 10 shows how we define the attack area, 
radius r and divide the grids. Given an attack area with 
the radius of r, the attacker can pick a grid inside the area 
as the target destination. Hit rate is the ratio of the grids 
that the victim can be diverted to over all the grids in the 
attack area. 


Figure 10: Illustration of the attack area and grids. 
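
The hit-rate definition above, worked through as an added example (not the authors' code). The local metre coordinates centred on the attack area, the 500 m cell size, the 1000 m radius, and the two routes are constructed assumptions; a cell counts as reachable when at least one candidate victim route passes through it.

```python
import math

def attack_area_grids(r_m, cell_m):
    """Cells (ix, iy) whose centre lies within r_m of the attack-area centre.

    Coordinates are local metres with the area centre at the origin.
    """
    n = math.ceil(r_m / cell_m)
    return {
        (ix, iy)
        for ix in range(-n, n)
        for iy in range(-n, n)
        if math.hypot((ix + 0.5) * cell_m, (iy + 0.5) * cell_m) <= r_m
    }

def cells_on_route(route, cell_m):
    """Cells a polyline passes through, sampled every cell_m / 4 metres.

    A cell clipped at a corner for less than one sampling step can be missed.
    """
    cells = set()
    for (x0, y0), (x1, y1) in zip(route, route[1:]):
        steps = max(1, math.ceil(math.hypot(x1 - x0, y1 - y0) / (cell_m / 4)))
        for i in range(steps + 1):
            t = i / steps
            x, y = x0 + (x1 - x0) * t, y0 + (y1 - y0) * t
            cells.add((math.floor(x / cell_m), math.floor(y / cell_m)))
    return cells

def hit_rate(victim_routes, r_m, cell_m):
    """Fraction of attack-area cells crossed by at least one victim route."""
    area = attack_area_grids(r_m, cell_m)
    reached = set()
    for route in victim_routes:
        reached |= cells_on_route(route, cell_m) & area
    return len(reached) / len(area)

# Constructed input: r = 1000 m, 500 m cells, two candidate victim routes.
ROUTES = [
    [(-1200.0, 250.0), (1200.0, 250.0)],   # west-to-east through the area
    [(250.0, -1200.0), (250.0, 250.0)],    # south-to-north, ends inside
]

if __name__ == "__main__":
    print(len(attack_area_grids(1000, 500)), hit_rate(ROUTES, 1000, 500))
```
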


